CVE-2018-19859

MEDIUM

OpenRefine < 3.2 beta - Path Traversal via ZIP Archive Relative Pathname

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-19859. PoCs published by WhiteOakSecurity.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2018-19859, targeting OpenRefine < 3.1-beta. It leverages a directory traversal vulnerability to upload a malicious Java extension, achieving remote code execution via a reverse shell.

Description

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.

Exploits (1)

nomisec WORKING POC 1 stars
by WhiteOakSecurity · poc
https://github.com/WhiteOakSecurity/CVE-2018-19859

This repository contains a functional proof-of-concept exploit for CVE-2018-19859, targeting OpenRefine < 3.1-beta. It leverages a directory traversal vulnerability to upload a malicious Java extension, achieving remote code execution via a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenRefine < 3.1-beta
No auth needed
Prerequisites: Vulnerable OpenRefine instance · Ability to upload a malicious zip archive via the Create Project functionality
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/OpenRefine/OpenRefine/issues/1840
Third Party Advisory x_refsource_confirm
https://github.com/OpenRefine/OpenRefine/pull/1901

Scores

CVSS v3 6.5
EPSS 0.1061
EPSS Percentile 93.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (17)
openrefine/openrefine 1.0 (6 CPE variants)
openrefine/openrefine 1.0.1
openrefine/openrefine 1.0.2
openrefine/openrefine 1.0.3
openrefine/openrefine 1.0.5
openrefine/openrefine 1.0.6
openrefine/openrefine 1.0.7
openrefine/openrefine 1.1
openrefine/openrefine 2.0
openrefine/openrefine 2.1 (2 CPE variants)
... and 7 more
Published Dec 05, 2018
Tracked Since Feb 18, 2026